Asking for legal advice on NANOG is probably a REALLY REALLY bad idea. Talk to a lawyer in the area(s) you do business.

-jim

On Thu, May 24, 2012 at 9:50 AM, not common <notcommonmistakes [at] gmail> wrote:
> Hello,
>
> I am looking for some guidance on full packet inspection at the ISP level.
>
> Is there any regulations that prohibit or provide guidance on this?

On 5/24/2012 7:50 AM, not common wrote:
> Hello,
>
> I am looking for some guidance on full packet inspection at the ISP level.
>
> Is there any regulations that prohibit or provide guidance on this?
> .

Thanks guys, I am looking for stuff to bring to my legal team (which is one guy, that can't spell IP) and VPs.

There has to be some thing out there, or is this really a hands-off topic?

On Thu, May 24, 2012 at 8:58 AM, -Hammer- <bhmccie [at] gmail> wrote:

> You should be discussing this with inside counsel. Not NANOG.
>
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 5/24/2012 7:50 AM, not common wrote:
>
>> Hello,
>>
>> I am looking for some guidance on full packet inspection at the ISP level.
>>
>> Is there any regulations that prohibit or provide guidance on this?
>> .

On 05/24/12 09:13, not common wrote:
> Thanks guys, I am looking for stuff to bring to my legal team (which is one
> guy, that can't spell IP) and VPs.
>
> There has to be some thing out there or is this really a hands of topic?
>
> On Thu, May 24, 2012 at 8:58 AM, -Hammer- <bhmccie [at] gmail> wrote:
>
>> You should be discussing this with inside counsel. Not NANOG.
>>
>> -Hammer-
>>
>> "I was a normal American nerd"
>> -Jack Herer
>>
>> On 5/24/2012 7:50 AM, not common wrote:
>>
>>> Hello,
>>>
>>> I am looking for some guidance on full packet inspection at the ISP level.
>>>
>>> Is there any regulations that prohibit or provide guidance on this?
>>> .

7. Get with a lawyer who is network-aware. Good luck with that. Maybe try to find a lawyer with a CISSP cert?

--Patrick Darden

On 05/24/2012 08:50 AM, not common wrote:
> Hello,
>
> I am looking for some guidance on full packet inspection at the ISP level.
>
> Is there any regulations that prohibit or provide guidance on this?

The problem is that it is strictly a jurisdictional question. I'm not trying to throw it back at you. But I can't advise you w/o knowing the specifics of your ISP which I don't want to know. Does that make sense? What country? State? Where's your customer base? Do you have multiple carriers? Do you service DOD? Outside of US? Do you service EU? SWIFT (Financial wires?) etc? Mainly consumer? Commercial? The list could go on.

If you are being prodded by legal on this question then my advice would be to tell them that they have to provide that direction.

If you are being prodded by technology my advice would be to direct them to legal.

You should be picking up a pattern here....

-Hammer-

"I was a normal American nerd" -Jack Herer

On 5/24/2012 8:13 AM, not common wrote:
> Thanks guys, I am looking for stuff to bring to my legal team (which
> is one guy, that can't spell IP) and VPs.
>
> There has to be some thing out there or is this really a hands of topic?
>
> On Thu, May 24, 2012 at 8:58 AM, -Hammer- <bhmccie [at] gmail
> <mailto:bhmccie [at] gmail>> wrote:
>
>     You should be discussing this with inside counsel. Not NANOG.
>
>     -Hammer-
>
>     "I was a normal American nerd"
>     -Jack Herer
>
>     On 5/24/2012 7:50 AM, not common wrote:
>
>         Hello,
>
>         I am looking for some guidance on full packet inspection at
>         the ISP level.
>
>         Is there any regulations that prohibit or provide guidance on
>         this?
>         .

And if your legal can't figure it out that is exactly what "outside counsel" is for.

-Hammer-

"I was a normal American nerd" -Jack Herer

On 5/24/2012 8:22 AM, -Hammer- wrote:
> The problem is that it is strictly a jurisdictional question. I'm not
> trying to throw it back at you. But I can't advise you w/o knowing the
> specifics of your ISP which I don't want to know. Does that make
> sense? What country? State? Where's your customer base? Do you have
> multiple carriers? Do you service DOD? Outside of US? Do you service
> EU? SWIFT (Financial wires?) etc? Mainly consumer? Commercial? The
> list could go on.
>
> If you are being prodded by legal on this question then my advice
> would be to tell them that they have to provide that direction.
>
> If you are being prodded by technology my advice would be to direct
> them to legal.
>
> You should be picking up a pattern here....
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
> On 5/24/2012 8:13 AM, not common wrote:
>> Thanks guys, I am looking for stuff to bring to my legal team (which
>> is one guy, that can't spell IP) and VPs.
>>
>> There has to be some thing out there or is this really a hands of topic?
>>
>> On Thu, May 24, 2012 at 8:58 AM, -Hammer- <bhmccie [at] gmail
>> <mailto:bhmccie [at] gmail>> wrote:
>>
>>     You should be discussing this with inside counsel. Not NANOG.
>>
>>     -Hammer-
>>
>>     "I was a normal American nerd"
>>     -Jack Herer
>>
>>     On 5/24/2012 7:50 AM, not common wrote:
>>
>>         Hello,
>>
>>         I am looking for some guidance on full packet inspection at
>>         the ISP level.
>>
>>         Is there any regulations that prohibit or provide guidance on
>>         this?
>>         .

Thank you all, this will get me started, and @Hammer, I see the trend you're talking about.

Cheers,

On Thu, May 24, 2012 at 9:24 AM, <valdis.kletnieks [at] vt> wrote:

> On Thu, 24 May 2012 09:13:16 -0400, not common said:
> > Thanks guys, I am looking for stuff to bring to my legal team (which is
> > one guy, that can't spell IP) and VPs.
>
> You probably want to fix that legal team. If you're an ISP and your legal
> eagle doesn't understand networking, you're opening yourself up to a world of
> hurt.
>
> > There has to be some thing out there or is this really a hands of topic?
>
> There's a whole mess of applicable laws. Patrick Darden just posed a good
> intro as I was writing this.

On Thu, May 24, 2012 at 08:50:47AM -0400, not common wrote:
> Hello,
>
> I am looking for some guidance on full packet inspection at the ISP level.
>
> Is there any regulations that prohibit or provide guidance on this?

Unless you are absolutely huge, and maybe even then, you need to worry more about how your customers will perceive this than how law enforcement will perceive this. (I mean, you want to follow the law, sure, but even if it's legal, if it cheeses the customers? well, you have a problem.) More to the point, like most on this list, law isn't my field.

In my experience? customers get really, really uncomfortable with you doing, well, almost anything below the headers. I was talking about doing an inward-facing snort IDS (to detect compromised hosts before I got complaints) and got so far as a prototype where I shared the info I recorded about each IP with the customer in question, but talking to customers? this idea was extremely offensive, so the project was quashed.

Now, generally speaking, customers are much more okay with you going through the IP headers. For instance, instead of using an IDS, I could, say, count the number of outgoing connections destined for port 22 or 25, or the same but count how many unique destinations they use (e.g. to avoid MX host or ssh tunneling false positives... both of those use cases would have a lot of connections on those ports, but to a small number of remote hosts.)

From what I've heard customers say, this would likely cause less offense than using snort or the like to do full packet inspection. (it wouldn't be completely inoffensive, but I think that if I wiped the logs often and shared my data with the customer, it sounds like something that customers would tolerate.) I haven't prototyped that system yet, though, so eh, who knows.
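The header-only alternative sketched in this post (count a customer's outgoing connections to ports 22 and 25, and separately count how many distinct destinations those connections go to, so a mail relay or an ssh tunnel with many connections to a couple of hosts is not mistaken for a compromised host) is easy to prototype against flow records. The following is an added example written for this page, not the poster's prototype or anything from the thread; the flow tuples are constructed sample data, and the thresholds (`min_conns`, `min_unique`) and the per-customer report format are assumptions chosen for illustration.

```python
"""Header-only compromised-host heuristic over flow records (added example).

Only (src_ip, dst_ip, dst_port) are consumed, i.e. IP/TCP header fields that
a NetFlow/sFlow export already carries; no payload is ever read.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)

# Ports the post singles out: SSH (22) and SMTP (25).
WATCHED_PORTS = (22, 25)

# Constructed sample flows (RFC 5737 documentation addresses), not real traffic.
SAMPLE_FLOWS: List[Flow] = []
# 10.0.0.5: 30 SMTP connections to 30 different hosts (spam-bot pattern).
SAMPLE_FLOWS += [("10.0.0.5", f"198.51.100.{i}", 25) for i in range(1, 31)]
# 10.0.0.7: 40 SMTP connections, but only to two relay hosts (legitimate MX pattern).
SAMPLE_FLOWS += [("10.0.0.7", "192.0.2.10", 25)] * 20
SAMPLE_FLOWS += [("10.0.0.7", "192.0.2.11", 25)] * 20
# 10.0.0.9: 25 SSH connections to a single host (ssh-tunnel pattern).
SAMPLE_FLOWS += [("10.0.0.9", "203.0.113.4", 22)] * 25
# 10.0.0.11: HTTPS only, not on a watched port, so never counted.
SAMPLE_FLOWS += [("10.0.0.11", "203.0.113.80", 443)] * 5


def summarize(flows: List[Flow]) -> Dict[str, Dict[int, Tuple[int, int]]]:
    """Return {src_ip: {port: (connection_count, unique_destination_count)}}.

    Both counters the post describes are kept side by side: raw connection
    volume and the number of distinct peers behind that volume.
    """
    conns: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    peers: Dict[str, Dict[int, set]] = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        if port not in WATCHED_PORTS:
            continue
        conns[src][port] += 1
        peers[src][port].add(dst)
    return {
        src: {port: (conns[src][port], len(peers[src][port])) for port in conns[src]}
        for src in conns
    }


def flag_hosts(flows: List[Flow], min_conns: int = 20, min_unique: int = 10
               ) -> List[Tuple[str, int, int, int]]:
    """Flag (src, port, conns, unique) only when BOTH counters are high.

    Requiring many distinct destinations (not just many connections) is what
    keeps the MX relay and the ssh tunnel out of the result.
    """
    flagged = []
    for src, per_port in summarize(flows).items():
        for port, (n_conns, n_unique) in per_port.items():
            if n_conns >= min_conns and n_unique >= min_unique:
                flagged.append((src, port, n_conns, n_unique))
    return sorted(flagged)


def customer_report(flows: List[Flow], src: str) -> List[str]:
    """Lines describing exactly what was recorded about one customer IP.

    This is the data the post suggests sharing with the customer: counts
    only, no destinations and no payload.
    """
    per_port = summarize(flows).get(src, {})
    return [
        f"port {port}: {n_conns} connections to {n_unique} distinct hosts"
        for port, (n_conns, n_unique) in sorted(per_port.items())
    ]


if __name__ == "__main__":
    for entry in flag_hosts(SAMPLE_FLOWS):
        print("flagged:", entry)
    for line in customer_report(SAMPLE_FLOWS, "10.0.0.7"):
        print("10.0.0.7 ->", line)
```

With the sample data only 10.0.0.5 is flagged; 10.0.0.7 and 10.0.0.9 have more connections than the threshold but talk to one or two hosts, which is exactly the false-positive case the post wants to avoid. Because the summary holds nothing but counters, the retention question reduces to how long the aggregated counts are kept, not how long captured traffic is.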

On a lighter note, did you know that your company can hold some of us liable depending on what advice we give you and how far you run with it. Just a thought... Overall, I wouldn't choose nanog over google/wikipedia/GROKLAW unless it is something really specific operationally. This isn't really one of those topics. Any lawyer worth his luxury sedan should be able to do his own research. Most of the laws were written by lawyers and judges that don't understand IP (Internet Protocol or Intellectual Property) either so your legal team is in good company.

2012/5/24 not common <notcommonmistakes [at] gmail>

> Hello,
>
> I am looking for some guidance on full packet inspection at the ISP level.
>
> Is there any regulations that prohibit or provide guidance on this?

On 5/24/12, not common <notcommonmistakes [at] gmail> wrote:
[snip]
> I am looking for some guidance on full packet inspection at the ISP level.

Aside from any legal issue, there is a "respectable practices" issue. Even if there is no regulation that prohibits something, that does not mean it is OK. Your customers deserve to be made aware of any full packet capture practices that may impact traffic to/from networks they own/manage, before packet capture occurs, especially when there is data retention, or human examination/analysis based on the contents of large numbers of packets; otherwise there is a risk you will be in trouble, for some definition of "in trouble" that depends on the circumstances.

Because your packet interception can put your user at risk; proprietary information can be disclosed. And most ISP customers intend to purchase network connectivity service, not "record all my traffic without telling me" service ..

Are you prepared to explicitly explain to your customers, both existing, and new ones, before they are allowed to buy or continue service from you -- under what circumstances you intercept full packets, whose packets do you capture, what packets do you capture, how many packets / how long will you capture their packets, what do you do with their contents after you capture them, how long do you keep data, what security controls do you have in place to prevent unauthorized access to their packets and ensure timely destruction of sensitive data?

If the answer is NO, that you have poor planning, or your privacy practices are not solid enough to reveal to your customers with confidence, then save the money on consulting lawyers, by choosing NOT to implement interception and capture of full packets.

> Is there any regulations that prohibit or provide guidance on this?
--
-JH

On Thu, May 24, 2012 at 08:37:52PM -0500, Jimmy Hess wrote:
> On 5/24/12, not common <notcommonmistakes [at] gmail> wrote:
> [snip]
> > I am looking for some guidance on full packet inspection at the ISP level.
> Aside from any legal issue; there is a "respectable practices"
> issue. Even if there is no regulation that prohibits something does
> not mean it is OK. Your customers' deserve to be made aware of any
> full packet capture practices that may impact traffic to/from network
> they own/manage, before packet capture occurs, especially when there
> is data retention, or human examination/analysis based on contents of
> large numbers of packets; otherwise there is a risk you will be in
> trouble, for some definition of "in trouble" that depends on the
> circumstances.
>
> Because your packet interception can put your user at risk;
> proprietary information can be disclosed. And most ISP customers
> intend to purchase network connectivity service, not "record all my
> traffic without telling me" service ..

If you need a call center to handle this just let me know... :) since your call volume is going to spike through the roof.

> Are you prepared to explicitly explain to your customers, both
> existing, and new ones,
> before they are allowed to buy or continue service from you -- under
> what circumstances
> you intercept full packets, whose packets do you capture, what
> packets do you capture, how many packets / how long will you capture
> their packets, what do you do with their contents after you capture
> them, how long do you keep data, what security controls do you have
> in place to prevent unauthorized access to their packets and
> ensure timely destruction of sensitive data?
>
> If the answer is NO, that you have poor planning, or your privacy
> practices are not solid enough to reveal to your customers with
> confidence, then save the money on consulting lawyers, by choosing
> NOT to implement interception and capture of full packets.
>
> > Is there any regulations that prohibit or provide guidance on this?
> --
> -JH

> On 5/24/12, not common <notcommonmistakes [at] gmail> wrote:
> [snip]
>> I am looking for some guidance on full packet inspection at the ISP level.

Aside from all of the business and legal sticking points that others have mentioned, there are also the technical aspects of capturing, storing, transporting, analyzing, and managing those packets, and the appliances that do the heavy lifting. As your traffic grows, that problem scales 1:1 linearly, at best, and more likely n:1 linearly, or worse. The added overhead of the infrastructure needed to support this will also make it more difficult to be price-competitive with your peers.

Your sales/marketing/executive staff would have their work cut out for them in trying to explain to existing and prospective customers not only where the value-add is for them, but why that would be worth the significant recurring costs you'd have to charge to cover your overhead and/or maintain your profit margin.

> Aside from all of the business and legal sticking points that others have
> mentioned, there are also the technical aspects of capturing, storing,
> transporting, analyzing, and managing those packets, and the appliances
> that do the heavy lifting. As your traffic grows, that problem scales
> 1:1 linearly, at best, and more likely n:1 linearly, or worse. The
> added overhead of the infrastructure needed to support this will also make
> it more difficult to be price-competitive with your peers.

TL:DR; The reasons for doing this on any kind of general basis have to be *EXCEPTIONALLY* compelling to make a business case for it, apart from any possible legal ramifications.

I used asterisks *and* capital letters; that's about an order of magnitude.

> Hello,
>
> I am looking for some guidance on full packet inspection at the ISP level.
>
> Is there any regulations that prohibit or provide guidance on this?

You're better off discussing use cases than technology. E.g. do you plan to do per-user behavioural targeted advertising? To secure the network from DNS changer malware? To block the slammer worm? To deploy a session border controller? To deploy a carrier-grade NAT (LSN)? To collect bank information and profit? To enhance the QoS of VoIP? To deploy a transparent web or video cache?

All of them use packet inspection. All can be achieved w/o packet inspection. All of them vary wildly in how people would react :)

So... phrase your question and 'guidance' around the use case, not the method you plan to achieve it today.

On Thu, May 24, 2012 7:36 pm, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Justin M. Streiner" <streiner [at] cluebyfour>
>> Aside from all of the business and legal sticking points that others have
>> mentioned, there are also the technical aspects of capturing, storing,
>> transporting, analyzing, and managing those packets, and the appliances
>> that do the heavy lifting. As your traffic grows, that problem scales
>> 1:1 linearly, at best, and more likely n:1 linearly, or worse. The
>> added overhead of the infrastructure needed to support this will also make
>> it more difficult to be price-competitive with your peers.
>
> TL:DR; The reasons for doing this on any kind of general basis have to be
> *EXCEPTIONALLY* compelling to make a business case for it, apart from any
> possible legal ramifications.
>
> I used asterisks *and* capital letters; that's about an order of magnitude.

Don't forget staffing.

I am a little surprised no one has referenced Wired's recent article about Libya's Internet Surveillance systems: